and Traffic Analysis
Agenda A Quick Review of A Collection of Common Network Traffic Tools This Will be a Play As We Go Lecture The Tools We Will Cover: FlowTools, Sniffers, Graphical, and Hacker 2
FlowTools flow-capture, flow-cat, flow-nfilter, flow-report Sniffers tcpdump, (snort), nload, iptraf Graphical Tools wireshark, etherape, ntop Hacker Tools dsniff, driftnet, ettercap 3
Warning We ll Be Sniffing Traffic From Here On Out dsniff will be running during this lecture We ll Report At the End If We Caught Anything 4
Monitoring Location Tends to be at the Distribution Layer (center) of Your Network On HP Switches, it s called the Monitor Port On Cisco Switches, it s called the SPAN Port Cisco Switches have much more powerful Capabilities for controlling the Monitoring, can control RX and TX, and even forward to another switch: RSPAN 5
Monitor Location Can be Off a passive Optical Splitter (fiber) Need Out-of-Band Management Only (you do not want this box getting hacked... ever!) Requires Powerful Box: CPU/MEMORY/IO May need to tune NIC May need to tune OS see: ethtool, and sysctl 6
Promiscuous Mode Some of These Commands do NOT put the interface into promiscuous mode. To sniff all frames you need to be in promiscuous mode. This means your NIC will pay attention to more frames instead do just your own IP/MAC frames. To force promiscuos mode if necessary: sudo ifconfig eth0 promisc To turn off promiscuos mode if necessary: sudo ifconfig eth0 -promisc 7
FlowTools A Cisco Router Export Flow Format: NetFlow A Standard for Connecting Packet Statistics Information tends to include additional Router Information, such as ASPATH You must configure the router to export flows Different Versions: v5, v7, etc. Make sure that you export a version that is the same as your collector 8
FlowTools How it Works The Router Samples Packets This is a lossy Mechanism Flows are connection oriented The export to the collector is over UDP The Traffic can be fairly High A Single SYN packet will generate a flow 9
FlowTools Installation on the Collector sudo apt-get install flow-tools dpkg -L flow-tools Configuration in /etc/flow-tools Startup is /etc/init.d/flow-capture Startup config is /etc/init.d/flow-capture.conf Example: -w /var/flow 0/0/3002 Listen on port 3002 from anywhere 10
FlowTools Simple Processing Example: Report All Flows For Yesterday #!/usr/bin/perl @files=`find /flows -type f -daystart -mtime -1`; chomp(@files); foreach $file (@files) { open(input,"flow-cat $file flow-report "); while(<input>) { print; } } 11
FlowTools: Output Format Defaults for flow-report command Configured in: /etc/flow-tools/stat.cfg Sorting can be any of: flows,octets,packets duration,avg-pps,min-pps,max-pps, avg-bps,minbps,max-bps 12
FlowTools: Output Format stat-report default type @{TYPE:-ip-source/destination-address/ ip-protocol/ip-tos/ip-source/destination-port} output format ascii sort @{SORT:-+flows} fields @{FIELDS:-+} options @{OPTIONS:-+header,+xheader,+totals} path flow-rptfmt @{RPTOPT:--f ascii} stat-definition default report default 13
FlowTools: Filter Format Define Address Matches Filter "Primitives" plus Filter "Definitions" To Make Matches filter-primitive UDPTCP type ip-protocol permit tcp permit udp filter-definition udptcp match ip-protocol UDPTCP filter-primitive mynetaddr type ip-address-mask permit 123.234.0.0 255.255.0.0 default deny filter-definition mynet match ip-source-address mynetaddr match ip-destination-address mynetaddr 14
FlowTools: Commands Flow Tools Binaries - Chaining Commands % flow-cat # concatenate binary flow files and output % flow-nfilter # apply filters to input flow stream % flow-report # process and output flow reports Example: flow-cat $filelist flow-nfilter -F $filterdef flow-report -S $report-format 15
FlowTools: Web Interface There are Three Web CGI Interaface Tools FlowViewer, FlowGrapher, and FlowTracker Website: http://ensight.eos.nasa.gov/flowviewer/ 16
FlowReport 17
FlowViewer 18
FlowGrapher 19
SNIFFERS 20
TCPDUMP Can Do Flag Matching Using TCPDUMP Summary Here: http://www.security-forums.com/viewtopic.php?t=22770 SYN Grabbing: 'tcp[13] & 0xFF == 0x2' SYN/ACK Grabbing: 'tcp[13] & 0xFF == 0x12' Example Command Line: /usr/sbin/tcpdump -n -i eth1 -s 64 -w /data/tcp/synackdata/${hour} 'tcp[13] & 0xFF == 0x12' < /dev/null 1>/dev/null 2>&1 & 21
TCPDUMP TRY IT! run tcpdump on the command-line, match SYN using the flags option: 'tcp[13] & 0xFF == 0x02' 22
NLOAD This is a quick command-line curses view of the traffic total on your interface sudo apt-get install nload Example: % nload -u m -i 200 megabits/second, 200msec update interval TRY IT! 23
NLOAD 24
IPTRAF Curses View of Active Talkers and Interface Statistics Top Talkers, SRC and DEST Sortable by Packet Total, Byte Total ETC. Text "monitor" == TCP Connections, Source/Dest "Detailed" == Interface Only Statistics "Statistical Breakdown" == by Protocol/Port "Lan Station Monitor" == by MAC Address 25
IPTRAF Other Options: o R for DNS Lookups F force promiscuous mode M show packet sizes Filters: Edit Filter, Attach Filter, Detach Filter 10.1.1.1/0:65535 <-> 0.0.0.0/0:0 Must Specify Port Ranges SRC/DST Reporting is TCP Only 26
IPTRAF Can also run a Batch Mode to a File % iptraf -i eth0 -B % pkill iptraf % cd /var/log/iptraf TRY IT! 27
IPTRAF 28
GRAPHICAL TOOLS 29
WIRESHARK http://www.wireshark.org/ More than Just a Sniffer Protocol Decoding Transport Stream Reassembly Used to Be Ethereal Supports Filter Expression Matching Supports Reading/Writing Various Captures Formats Text-based version is: "tshark" 30
WIRESHARK Standard Packet Format is "pcap", (like tcpdump) Filter Language is like tcpdump filters Output Display Format Supports Naming ethernet oui, tcp/udp ports, hostnames Protocol and Traffic Statistics Reporting % sudo apt-get install wireshark TRY IT! 31
WIRESHARK 32
EtherApe Creates a MESH of Talking Nodes In A Window Lines in the MESH Get Wider as Traffic Increases Includes Protocol Statistics Some filtering expression capabilities 33
NTOP Network Monitor Daemon http://www.ntop.org/ Luca Deri, University of Pisa Project is now Ten Years Old!!! Named after "%top", but for Networks Builtin Web Server Interface Builtin RRD Graphing 34
NTOP FEATURES Traffic Characterization Host Characterization, History, Protocols Network Interface Statistics Graphs ASN Reporting sflow/netflow Reporting Can act as Both a Receiver and Sender of NetFlow ThruPut Reports Activity Reports Plugins Provide Additional Feature 35
NTOP Installation % apt-get install ntop % dpkg -L ntop NTOP Configuration: /etc/ntop NTOP Configuration: /var/lib/ntop/init.cfg % sudo ntop --set-admin-password % /etc/init.d/ntop start Now Point Your Browser At: http://localhost:3000 TRY IT! 36
NTOP 37
HACKER TOOLS 38
DRIFTNET A Sniffer for Grabbing Image Files http://ex-parrot.com/~chris/driftnet/ Also Located on the BackTrack CD % locate driftnet Also able to Grab MPEG Audio Files So the Hackers Can Grab Files Too!!! TRY IT! 39
DRIFTNET 40
DSNIFF Dug Song http://www.monkey.org/~dugsong/dsniff/ DSniff, Usenix Conference, Year 2000 Producing Behavior Change Through Embarrassment! A Collection of Tools 41
DSNIFF What Tools Does The DSNIFF Package Include? dsniff, arpspoof, dnsspoof, macof, sshmitm, webmitm, filesnarf, webspy What Kind of Password Strings Does it Grab? FTP, Telnet, HTTP,POP,poppass, NNTP,IMAP,SNMP, LDAP,Rlogin, RIP,OSPF,NFS, YP, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster,PostgreSQL, Meeting Maker,Citrix ICA, Symantec 42
DSNIFF DSNIFF Report: Did we see any ClearText Passwords? 43